
2.6 Configuration Management

2.6.7 Configuration for Least Functionality

2.6.7.1 Requirement

The organization configures the control system to provide only essential capabilities and specifically prohibits and/or restricts the use of functions, ports, protocols, and/or services as defined in an organizationally generated “prohibited and/or restricted” list.

2.6.7.2 Supplemental Guidance

Control systems provide a wide variety of functions and services. Some of the default functions and services may not be necessary to support essential organizational operations (e.g., key missions, functions). The functions and services (e.g., voice-over internet protocol [VoIP], instant messaging, file transfer protocol, hypertext transfer protocol [HTTP], file sharing) provided by control systems should be carefully reviewed to determine which are candidates for elimination.

The organization considers disabling unused or unnecessary physical and logical ports (e.g., USB, Personal System/2, file transfer protocol [FTP]) on control system components to prevent unauthorized connection of devices (e.g., thumb drives, keystroke loggers). Organizations can use network scanning tools, intrusion detection and prevention systems, and end-point protections, such as firewalls and host intrusion detection systems, to identify and prevent the use of prohibited ports, protocols, and services.

This can be third-party software or physical methods to control access.
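The following audit routine, added here as an illustration and not part of the catalog, compares the services a scanner reports on control-system hosts against an organizationally generated prohibited list and an essential-services list; the hostnames, ports and both lists are constructed examples. It flags prohibited services both by port and by reported service name, so a prohibited protocol moved to a non-standard port is still caught, and lists anything that is neither prohibited nor essential as a candidate for the review the guidance calls for.

```python
"""Least-functionality audit: observed listening services versus the
organization's prohibited/restricted list (constructed sample data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    proto: str   # "tcp" or "udp"
    port: int
    name: str    # service name as reported by the scanner


# Constructed scan result, as it might be parsed from a network scanner.
OBSERVED = [
    Service("plc-01", "tcp", 502, "modbus"),
    Service("plc-01", "tcp", 80, "http"),
    Service("hmi-01", "tcp", 2121, "ftp"),     # FTP on a non-standard port
    Service("hmi-01", "tcp", 3389, "rdp"),
    Service("hist-01", "tcp", 1433, "mssql"),
    Service("hist-01", "tcp", 20000, "dnp3"),
]

# Hypothetical organizationally generated lists, keyed by (proto, port)
# and, for the prohibited list, also by service name.
PROHIBITED_PORTS = {("tcp", 21), ("tcp", 23), ("tcp", 80)}
PROHIBITED_NAMES = {"ftp", "telnet", "http"}
ESSENTIAL_PORTS = {("tcp", 502), ("tcp", 20000), ("tcp", 1433)}


def audit(observed, prohibited_ports=PROHIBITED_PORTS,
          prohibited_names=PROHIBITED_NAMES, essential=ESSENTIAL_PORTS):
    """Return (violations, review): services that are prohibited, and
    services that are neither prohibited nor on the essential list."""
    violations, review = [], []
    for svc in observed:
        key = (svc.proto, svc.port)
        if key in prohibited_ports or svc.name.lower() in prohibited_names:
            violations.append(svc)
        elif key not in essential:
            review.append(svc)
    return violations, review


if __name__ == "__main__":
    found, candidates = audit(OBSERVED)
    for s in found:
        print(f"VIOLATION {s.host} {s.proto}/{s.port} ({s.name})")
    for s in candidates:
        print(f"REVIEW    {s.host} {s.proto}/{s.port} ({s.name})")
```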

2.6.7.3 Requirement Enhancements

1. The organization reviews the control system periodically or as deemed necessary to identify and eliminate unnecessary functions, ports, protocols, and/or services.

2. The organization employs automated mechanisms to prevent program execution in accordance with defined lists.

3. Use of configuration laptops and or removable electronic media sometimes cannot be avoided. In such cases, approved and authorized devices need to be documented, secured, and available only to specified and approved entities for use.

4. Six wall bordering requirements such as special equipment vaulting, two-man rules, and enhanced inventory control and authorization will be used.

5. In high security situations, it is necessary to separate the duties and access between the system administrator and the cybersecurity officer such that neither can make the changes by themselves. In this case, while the system administrator may have server permission, the security officer maintains and controls physical access to the server and/or dataport locking mechanisms.

2.6.7.4 References

NIST SP 800-53r3 CM-7

CAG CC-2, CC-3, CC-4, CC-7, CC-13

API 1164r2 5.7, Annex A

NERC CIPS CIP 007-3. B.R2, B.R2.1-2.3

NRC RG 5.71 App. 5.3, App. B.5.4, App. C.11.8

2.6.8 Configuration Assets

2.6.8.1 Requirement

The organization develops, documents, and maintains an inventory of the components of the control system that:

1. Accurately reflects the current control system

2. Is consistent with the authorization boundary of the control system

3. Is at the level of granularity deemed necessary for tracking and reporting

4. Includes defined information deemed necessary to achieve effective property accountability.

2.6.8.2 Supplemental Guidance

Before a configuration management program can operate, all configurable items should first be uniquely identified and recorded. The organization determines the appropriate level of granularity for any control system component included in the inventory that is subject to management control (e.g., tracking, and reporting). The inventory of control system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner, and for a networked component/device, the machine name and network address). In addition, configuration files, setpoints, alarm points, security filter rules, authorized and approved white lists, and permission files need to be documented and securely stored and backed up. This includes the current operational application files for the operational PLC elements. These files are crucial to effective disaster/incident recovery. The organization’s maintenance program is responsible for configuration management tasks. Personnel performing maintenance on a control system should refer to and update the configurable assets list to ensure that all control system components are maintained and configured appropriately.

2.6.8.3 Requirement Enhancements

1. The organization updates the inventory of control system components and programming as an integral part of component installation, replacement and system updates.

2. The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of control system components, configuration files and setpoints, alarm settings and other required operational settings.

3. The organization employs automated mechanisms to detect the addition of unauthorized components/devices/component settings into the control system.

4. The organization disables network access by such components/devices or notifies designated organizational officials.

5. The organization includes in property accountability information for control system components, the names of the individuals responsible for administering those components.
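As an added example (not from the catalog), the routine below implements the detection in enhancements 3 and 4: a discovery sweep is compared against the authorized component inventory, which carries the property-accountability fields the supplemental guidance lists (manufacturer, model, serial number, owner, machine name, network address). All device records are constructed sample data. The hardware address is used as the identity key and an IP address alone is not trusted, so a known device that changed address is reported separately from an unknown device; the output is what an organization would act on by disabling network access or notifying the named owner.

```python
"""Inventory drift detection for control-system components (2.6.8).
Constructed sample records; all names and addresses are hypothetical."""

# Authorized inventory with the accountability fields the guidance lists.
INVENTORY = [
    {"name": "plc-01", "mac": "00:11:22:33:44:01", "ip": "10.10.1.11",
     "manufacturer": "VendorA", "model": "PLC-1000", "serial": "A1001",
     "owner": "ops-team"},
    {"name": "hmi-01", "mac": "00:11:22:33:44:02", "ip": "10.10.1.12",
     "manufacturer": "VendorB", "model": "HMI-200", "serial": "B2002",
     "owner": "ops-team"},
    {"name": "hist-01", "mac": "00:11:22:33:44:03", "ip": "10.10.1.13",
     "manufacturer": "VendorC", "model": "HIST-5", "serial": "C3003",
     "owner": "it-team"},
]

# Discovery sweep, as parsed from an ARP table or scanner output.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.10.1.11"},
    {"mac": "00:11:22:33:44:02", "ip": "10.10.1.22"},   # known device, new IP
    {"mac": "00:11:22:33:44:99", "ip": "10.10.1.50"},   # not in inventory
]


def detect_drift(inventory, discovered):
    """Return unauthorized (unknown MAC), changed (known MAC, different IP)
    and missing (inventoried but not seen) devices.

    A MAC can be spoofed, so this is a detection trigger; the serial
    number on the inventory record is what a follow-up should verify."""
    by_mac = {item["mac"].lower(): item for item in inventory}
    seen = set()
    unauthorized, changed = [], []
    for dev in discovered:
        mac = dev["mac"].lower()
        seen.add(mac)
        item = by_mac.get(mac)
        if item is None:
            unauthorized.append({"mac": mac, "ip": dev["ip"]})
        elif item["ip"] != dev["ip"]:
            changed.append({"name": item["name"], "owner": item["owner"],
                            "expected_ip": item["ip"], "seen_ip": dev["ip"]})
    missing = [item["name"] for mac, item in by_mac.items() if mac not in seen]
    return {"unauthorized": unauthorized, "changed": changed, "missing": missing}


if __name__ == "__main__":
    for kind, entries in detect_drift(INVENTORY, DISCOVERED).items():
        print(kind, entries)
```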

2.6.8.4 References

NIST SP 800-53r3 CM-8

CAG CC-1, CC-2, CC-4

API 1164r2 Annex A

NERC CIPS CIP 007-3. B.R1

NRC RG 5.71 App. 5.3, App. B.5.4, App. B5.5, App. C.11.8, App. C.11.9

2.6.9 Addition, Removal, and Disposal of Equipment

2.6.9.1 Requirement

The organization implements policy and procedures to address the addition, removal, and disposal of all control system equipment. All control system assets and information are documented, identified, and tracked so that the location and function are known.

2.6.9.2 Supplemental Guidance

The organization sanitizes control system media, both paper and digital, before disposal or reuse. All control system media need to be tracked, documented, and verified as sanitized. The organization periodically verifies the media sanitization process.

2.6.9.3 Requirement Enhancements

1. Specialized critical digital assets must require internal registration, configuration and usage plan, and secure storage before, during and after usage.

2. Critical Digital Assets in security arenas, such as laptop and desktop computers, network gear, hard drives, removable electronic media (e.g., CD/DVD/Tape/USB/SD), must be destroyed on removal from operations, or inspected and undergo approved, documented, de-sanitization procedures (deep formatting or destruction) on being removed from service.

2.6.9.4 References

CAG CC-2

NERC CIPS CIP 007-3, B.R7, R7.1, R7.2, R7.3

NRC RG 5.71 App. B.5.1, App. B.5.5, App. C.1.6, App. C.11.2, App. C.11.9

2.6.10 Factory Default Authentication Management

2.6.10.1 Requirement

The organization changes all factory default authentication credentials on control system components and applications upon installation.

2.6.10.2 Supplemental Guidance

Many control system devices and software are shipped with factory default authentication credentials to allow for initial installation and configuration. However, factory defaults are often well known or easily discoverable. They present an obvious security risk and, therefore, should be changed prior to the device being put into service. In addition, do not embed passwords into tools, source code, scripts, aliases, or shortcuts. Known legacy components with these deficiencies need to be identified and targeted for higher priority in upgrade/replacement during the next maintenance/upgrade cycle.

2.6.10.3 Requirement Enhancements

Known legacy operational equipment needs compensatory access restrictions to protect against loss of authentication. In addition, these components need to be identified, tested, and documented to verify that proposed compensatory measures are effective.

2.6.10.4 References

NIST SP 800-53r3 IA-5

CAG CC-4

API 1164r2 5.5, 5.6, Annex A

NERC CIPS CIP 007-3. B.R5.1

NRC RG 5.71 C.3.3.1.4, App. B.1.20, App. B.4.1, App. B.4.7

2.6.11 Configuration Management Plan

2.6.11.1 Requirement

The organization develops and implements a configuration management plan for the control system that:

1. Addresses roles, responsibilities, and configuration management processes and procedures

2. Defines the configuration items for the control system

3. Defines when (in the system development life cycle) the configuration items are placed under configuration management

4. Defines the means for uniquely identifying configuration items throughout the system development life cycle

5. Defines the process for managing the configuration of the controlled items.

2.6.11.2 Supplemental Guidance

Configuration items are the control system items (hardware, software, firmware, and documentation).

Configuration management is the management of planned changes to those items. The configuration management plan satisfies the requirements in the organization’s configuration management policy while being tailored to the individual control system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life-cycle activities at the control system level. It includes the steps for moving a change through the change management process; how configuration settings and configuration baselines are updated; how the control system component inventory is maintained; how development, test, and operational environments are controlled; and how documents are developed, released, and updated. The configuration management approval process includes designation of key management stakeholders that are responsible for reviewing and approving proposed changes to the information system and security personnel that would conduct an impact analysis prior to the implementation of any changes to the system.

2.6.11.3 Requirement Enhancements

The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

Enhanced Supplemental Guidance

In the absence of a dedicated configuration management team, the system integrator may be tasked with developing a configuration management process.

2.6.11.4 References

NIST SP 800-53r3 CM-9

API 1164r2 Annex A

NERC CIPS CIP 003-3. B.R6

NRC RG 5.71 C.3.1.4, C.4.2, App. B.5.3, App. B.5.4, App. B.5.5, App. C.11.2